dcrat | 7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

General

Target

12dcc1cafbf752f84a12d3bed14cd6e2.exe
Size

2.6MB
MD5

12dcc1cafbf752f84a12d3bed14cd6e2
SHA1

9ebf8e2fef206cefff0cb2474f284869827e6e45
SHA256

7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445
SHA512

e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27
SSDEEP

49152:EZjcfg3kx6GhHszTNMdkdOYY/Z5K0eR/SRXtbqayyLsPZqGXkcZAo:nY0UwmOTBU5R+dbqzTB

Score

10^/10

dcrat evasion infostealer rat trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000173da-27.dat	dcrat
behavioral1/memory/2208-1-0x0000000000C00000-0x0000000000EA8000-memory.dmp	dcrat
behavioral1/files/0x0007000000019438-65.dat	dcrat
behavioral1/files/0x0007000000017487-73.dat	dcrat
behavioral1/files/0x000c00000001662e-100.dat	dcrat
behavioral1/files/0x00080000000173da-111.dat	dcrat
behavioral1/memory/3068-156-0x00000000008F0000-0x0000000000B98000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
3068	spoolsv.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	spoolsv.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\spoolsv.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\dwm.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\services.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsm.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCX69B4.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\System.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\services.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsm.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\RCX732E.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\RCX732D.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\c5b4cb5e9653cc	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\101b941d020240	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\dwm.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\6cb0b6c459d5d3	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\spoolsv.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCX6C26.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX6E3A.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX6ED7.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Windows Sidebar\f3b6ecef712a24	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\System.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\27d1bcfc3c54e0	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX64A1.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX653E.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\RCX69B3.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCX6BB8.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\56085415360792	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\tracing\System.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\tracing\27d1bcfc3c54e0	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\twain_32\RCX628C.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\tracing\RCX7543.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\tracing\System.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\ShellNew\wininit.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\ShellNew\RCX70FA.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\twain_32\spoolsv.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\twain_32\f3b6ecef712a24	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\twain_32\RCX628D.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\tracing\RCX7542.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File created	C:\Windows\twain_32\spoolsv.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\ShellNew\RCX712A.tmp	12dcc1cafbf752f84a12d3bed14cd6e2.exe
File opened for modification	C:\Windows\ShellNew\wininit.exe	12dcc1cafbf752f84a12d3bed14cd6e2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1804	schtasks.exe
3016	schtasks.exe
3052	schtasks.exe
792	schtasks.exe
2064	schtasks.exe
2976	schtasks.exe
2596	schtasks.exe
2320	schtasks.exe
1376	schtasks.exe
2600	schtasks.exe
1956	schtasks.exe
1924	schtasks.exe
2232	schtasks.exe
2008	schtasks.exe
1176	schtasks.exe
2856	schtasks.exe
2728	schtasks.exe
2932	schtasks.exe
2644	schtasks.exe
3012	schtasks.exe
2940	schtasks.exe
2016	schtasks.exe
2556	schtasks.exe
2152	schtasks.exe
2904	schtasks.exe
3000	schtasks.exe
552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2208	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2208	12dcc1cafbf752f84a12d3bed14cd6e2.exe
2208	12dcc1cafbf752f84a12d3bed14cd6e2.exe
3068	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe
3068	spoolsv.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3068	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Token: SeDebugPrivilege	3068	spoolsv.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2476	2208	12dcc1cafbf752f84a12d3bed14cd6e2.exe	58
PID 2208 wrote to memory of 2476	2208	12dcc1cafbf752f84a12d3bed14cd6e2.exe	58
PID 2208 wrote to memory of 2476	2208	12dcc1cafbf752f84a12d3bed14cd6e2.exe	58
PID 2476 wrote to memory of 2060	2476	cmd.exe	60
PID 2476 wrote to memory of 2060	2476	cmd.exe	60
PID 2476 wrote to memory of 2060	2476	cmd.exe	60
PID 2476 wrote to memory of 3068	2476	cmd.exe	61
PID 2476 wrote to memory of 3068	2476	cmd.exe	61
PID 2476 wrote to memory of 3068	2476	cmd.exe	61

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	12dcc1cafbf752f84a12d3bed14cd6e2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	spoolsv.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	spoolsv.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\12dcc1cafbf752f84a12d3bed14cd6e2.exe
"C:\Users\Admin\AppData\Local\Temp\12dcc1cafbf752f84a12d3bed14cd6e2.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kAjOCO0Mh2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2060
- - C:\Program Files (x86)\Windows Sidebar\spoolsv.exe
    "C:\Program Files (x86)\Windows Sidebar\spoolsv.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\services.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellNew\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\dwm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RCX6781.tmp

Filesize
2.6MB

MD5
02911d19174feb724cd47570d4188a58

SHA1
9b5a3e306b44cf73cb6b6f02b7355843029dcb8f

SHA256
dce2e3db78a32c0826767f5cb2c40f909b91d0db2209215939b5d6fbacc1df2e

SHA512
1de27f7ed6118691cfe59543a0f00c692d58ca46991ad7ecae936435cd79da97c4e56bee97bb8e14a9d9c171ef34789a812c47cc9b2991eb896be88f48c2c9b0

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\services.exe

Filesize
2.6MB

MD5
12dcc1cafbf752f84a12d3bed14cd6e2

SHA1
9ebf8e2fef206cefff0cb2474f284869827e6e45

SHA256
7080fb14c8ba10d8abfff9760872b9815bcebad6cf72651d4aae4ef919708445

SHA512
e6d535bbf3a65d225f7a6b8fd500952774a8664daea4e091fa9dd4d0a6538a150089ff38271ff345c91a76518c2094dbb59a2ff92d7fc24cdf2d66d4fcdd1a27

Download Submit
C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\services.exe

Filesize
2.6MB

MD5
450c32cc3d279a0a3a74a74f447fd09b

SHA1
05c724affad9d9d9ed1906093e955abb33ce45c0

SHA256
f35134c3694118f5d05f1d66cb0dcdf88404a7316e51e09943a4dca38c50e174

SHA512
68cbd16732e3eb7311709d0d1c7735814dd6c72c2cd2d18b71b12df4a9438a6b06ae45bb9a95e6b6308d7d243a538811287007bf14bced1210b22d15cc3acc62

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsm.exe

Filesize
2.6MB

MD5
0e3f52009f99fbf4cb884a8ed089ea8e

SHA1
bd0c698aa5dc90b09247368046eb0d92fb74c17d

SHA256
e91dc41d200c83aba8c846381212e4ff4b9fc4ee65bd598510ca1bcfdcb6a812

SHA512
01728ad68d56d667cdff9ba10f7b04e93227dfa81a743ccc02c6d92cd352f59f14959008d373494b5621caf3cf8f3c2cb98573ae75c3f567cdd318d00e4bda70

Download Submit
C:\Program Files (x86)\Windows Sidebar\spoolsv.exe

Filesize
2.6MB

MD5
95b24457a0d40eaefa6e973dee4ee0ce

SHA1
c0ff1661069f44768ddb9b705e91bd3120af9dbd

SHA256
d31854d02416a0abf9c25b62fd2b59285051eb6793fe9a384446a9986feb4f1d

SHA512
3aa2b647316c7e30f5f5ec8485a387e6f97aaf4f4db57e073acbf13ff86bd297b82e7975a8ee22f84f14acb313a3e5acbdda3cbc71cc06d6415b73cf0aed10af

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAjOCO0Mh2.bat

Filesize
215B

MD5
42282992f2e8e3e9ff14ef100e97bcb3

SHA1
0c3c05c60eaa21f1dbcef12353f105e031591985

SHA256
3c97f10e2edac4327d421f554cfd6ecb902806dee84deabd40c87af7a23a5942

SHA512
64fa33d8f1d0b9ec2629aa0f191a00b1ab8a8142386675d875c0608283ff304d804b5e0ee7b1c5cfdd720c3d0ef70261ac0e43a59263268050b9b612cb53b498

Download Submit
memory/2208-12-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2208-2-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/2208-11-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2208-10-0x000000001A8C0000-0x000000001A916000-memory.dmp

Filesize
344KB

Download
memory/2208-9-0x0000000002390000-0x000000000239A000-memory.dmp

Filesize
40KB

Download
memory/2208-8-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/2208-7-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download
memory/2208-6-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2208-5-0x00000000005F0000-0x00000000005F8000-memory.dmp

Filesize
32KB

Download
memory/2208-4-0x00000000005D0000-0x00000000005EC000-memory.dmp

Filesize
112KB

Download
memory/2208-3-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/2208-13-0x000000001A930000-0x000000001A938000-memory.dmp

Filesize
32KB

Download
memory/2208-1-0x0000000000C00000-0x0000000000EA8000-memory.dmp

Filesize
2.7MB

Download
memory/2208-0-0x000007FEF5DB3000-0x000007FEF5DB4000-memory.dmp

Filesize
4KB

Download
memory/2208-14-0x000000001A940000-0x000000001A948000-memory.dmp

Filesize
32KB

Download
memory/2208-15-0x000000001A950000-0x000000001A95C000-memory.dmp

Filesize
48KB

Download
memory/2208-16-0x000000001A960000-0x000000001A96E000-memory.dmp

Filesize
56KB

Download
memory/2208-17-0x000000001A970000-0x000000001A97C000-memory.dmp

Filesize
48KB

Download
memory/2208-18-0x000000001A980000-0x000000001A98A000-memory.dmp

Filesize
40KB

Download
memory/2208-153-0x000007FEF5DB0000-0x000007FEF679C000-memory.dmp

Filesize
9.9MB

Download
memory/3068-156-0x00000000008F0000-0x0000000000B98000-memory.dmp

Filesize
2.7MB

Download
memory/3068-157-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads